From: bugzilla-noreply@freebsd.org
To: ports-bugs@FreeBSD.org
Subject: [Bug 252837] [PATCH] x11/xfce4-screensaver: PAM authentication may not work as intended due to the wrong policy filename
Date: Tue, 19 Jan 2021 21:46:49 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=252837

Bug ID: 252837
Summary: [PATCH] x11/xfce4-screensaver: PAM authentication may not work as intended due to the wrong policy filename
Product: Ports & Packages
Version: Latest
Hardware: Any
OS: Any
Status: New
Severity: Affects Only Me
Priority: ---
Component: Individual Port(s)
Assignee: xfce@FreeBSD.org
Reporter: genneko217@gmail.com
Flags: maintainer-feedback?(xfce@FreeBSD.org)

Created attachment 221750
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=221750&action=edit
A patch to Makefile

The x11/xfce4-screensaver port installs a PAM policy file 'xfce-screensaver' in /usr/local/etc/pam.d when the PAM option is enabled. However, the policy is not actually used because of the wrong filename. The correct filename would be 'xfce4-screensaver' as seen in its source.

  ${WRKSRC}/src/Makefile.am:
    -DPAM_SERVICE_NAME=\""xfce4-screensaver"\"

In most cases, it does not cause any problem because the catch-all /etc/pam.d/other policy is used instead. But, it may cause trouble when you have customized PAM policies in some ways.

For example, when you have configured pam_krb5 in /etc/pam.d/system to authenticate users with Active Directory or something like that and do not set local UNIX passwords for the users, those users cannot unlock the screen with their AD passwords once xfce4-screensaver activates the screen lock. This is because /usr/local/etc/pam.d/xfce-screensaver is not loaded, thus /etc/pam.d/system, which will be included by the former, is also not loaded. I've found the issue in this particular situation.

HOW TO CONFIRM

Here are the steps I took to confirm which policies are loaded when I unlock the xfce4-screensaver's screen lock.

1. Install x11/xfce4-screensaver on a cleanly installed desktop system.

2. Add the following lines to the top of the PAM policy files in order to log the loaded policy filename.

   [/etc/pam.d/system]
   auth optional pam_exec.so /usr/bin/logger system

   [/etc/pam.d/other]
   auth optional pam_exec.so /usr/bin/logger other

   [/usr/local/etc/pam.d/xfce-screensaver]
   auth optional pam_exec.so /usr/bin/logger xfce-screensaver

3. Monitor /var/log/messages on a local virtual terminal (Ctrl+Shift+Fx) or an SSH terminal on another host.

   $ tail -F /var/log/messages

4. On the desktop, lock the screen manually.

   $ xfce4-screensaver-command --lock

5. Unlock the screen by entering the user password.

6. See which PAM policy was loaded.

   Jan 19 20:55:28 xrdp genneko[20748]: pam.d/other
   Jan 19 20:55:28 xrdp genneko[20749]: pam.d/other

7. Copy the xfce-screensaver to xfce4-screensaver in /usr/local/etc/pam.d and edit the previously added line to the new file.

   [/usr/local/etc/pam.d/xfce4-screensaver]
   auth optional pam_exec.so /usr/bin/logger xfce4-screensaver

8. Lock the screen again.

   $ xfce4-screensaver-command --lock

9. Unlock the screen.

10. See which PAM policy was loaded.

   Jan 19 20:57:29 xrdp genneko[20773]: pam.d/xfce4-screensaver
   Jan 19 20:57:29 xrdp genneko[20774]: pam.d/system
   Jan 19 20:57:29 xrdp genneko[20775]: pam.d/xfce4-screensaver
   Jan 19 20:57:29 xrdp genneko[20776]: pam.d/system

ADDITIONAL INFORMATION

I have also used the dwatch(1) utility to monitor file opens and confirm 'xfce4-screensaver' (not 'xfce-screensaver') was opened.

   $ sudo dwatch -X open
   ...
   2021 Jan 19 21:33:56 0.1001 pam_helper[21256]: /etc/pam.d/xfce4-screensaver
   2021 Jan 19 21:33:56 0.1001 pam_helper[21256]: /etc/pam.conf
   2021 Jan 19 21:33:56 0.1001 pam_helper[21256]: /usr/local/etc/pam.d/xfce4-screensaver
   2021 Jan 19 21:33:56 0.1001 pam_helper[21256]: /usr/local/etc/pam.conf
   2021 Jan 19 21:33:56 0.1001 pam_helper[21256]: /etc/pam.d/other
   2021 Jan 19 21:33:56 0.1001 pam_helper[21256]: /usr/lib/pam_exec.so.6
   2021 Jan 19 21:33:56 0.1001 pam_helper[21256]: /usr/lib/pam_opie.so.6
   2021 Jan 19 21:33:56 0.1001 pam_helper[21256]: /lib/libopie.so.8
   2021 Jan 19 21:33:56 0.1001 pam_helper[21256]: /usr/lib/libopie.so.8
   2021 Jan 19 21:33:56 0.1001 pam_helper[21256]: /lib/libmd.so.6
   2021 Jan 19 21:33:56 0.1001 pam_helper[21256]: /usr/lib/pam_opieaccess.so.6
   2021 Jan 19 21:33:56 0.1001 pam_helper[21256]: /usr/lib/pam_unix.so.6
   2021 Jan 19 21:33:56 0.1001 pam_helper[21256]: /lib/libutil.so.9
   2021 Jan 19 21:33:56 0.1001 pam_helper[21256]: /lib/libcrypt.so.5
   2021 Jan 19 21:33:56 0.1001 pam_helper[21256]: /lib/libypclnt.so.4
   2021 Jan 19 21:33:56 0.1001 pam_helper[21256]: /usr/lib/libypclnt.so.4
   2021 Jan 19 21:33:56 0.1001 pam_helper[21256]: /etc/pam.d/other
   2021 Jan 19 21:33:56 0.1001 pam_helper[21256]: /usr/lib/pam_nologin.so.6
   2021 Jan 19 21:33:56 0.1001 pam_helper[21256]: /usr/lib/pam_login_access.so.6
   2021 Jan 19 21:33:56 0.1001 pam_helper[21256]: /usr/lib/pam_unix.so.6
   2021 Jan 19 21:33:56 0.1001 pam_helper[21256]: /etc/pam.d/other
   2021 Jan 19 21:33:56 0.1001 pam_helper[21256]: /usr/lib/pam_permit.so.6
   2021 Jan 19 21:33:56 0.1001 pam_helper[21256]: /etc/pam.d/other
   2021 Jan 19 21:33:56 0.1001 pam_helper[21256]: /usr/lib/pam_permit.so.6
   ...
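
Added example, not part of the original report or of the port: a POSIX sh check that resolves which policy source a PAM service name lands on, so a silent fallback to 'other' like the one reported above can be caught without locking the screen. The function names, the ROOT argument and the sample tree are assumptions made for illustration; the search order is the one visible in the dwatch trace, and OpenPAM's per-facility fallback is simplified to a whole-service fallback.

```sh
#!/bin/sh
# Which PAM policy would be used for a service name?
# Search order follows the dwatch trace in the report above.
# ROOT lets the check run on a scratch tree; pass "" for the live system.

# Print the policy source that defines SERVICE under ROOT; fail if none does.
find_policy() {
    root=$1 service=$2
    for base in /etc /usr/local/etc; do
        if [ -f "$root$base/pam.d/$service" ]; then
            printf '%s\n' "$base/pam.d/$service"; return 0
        fi
        # pam.conf form: the service name is the first field of each rule.
        if [ -f "$root$base/pam.conf" ] &&
           awk -v s="$service" '$1 == s { found = 1 } END { exit !found }' \
               "$root$base/pam.conf"; then
            printf '%s\n' "$base/pam.conf"; return 0
        fi
    done
    return 1
}

# Resolve SERVICE, falling back to the catch-all "other" policy.
resolve_policy() {
    find_policy "$1" "$2" || find_policy "$1" other
}

# Succeed only when SERVICE has its own policy (no silent fallback).
has_own_policy() {
    find_policy "$1" "$2" >/dev/null
}

# Constructed sample tree: the policy is installed under the wrong name.
make_sample_root() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/etc/pam.d" "$root/usr/local/etc/pam.d"
    echo 'auth required pam_unix.so' > "$root/etc/pam.d/other"
    echo 'auth include system' > "$root/usr/local/etc/pam.d/xfce-screensaver"
    printf '%s\n' "$root"
}

demo_root=$(make_sample_root)
for svc in xfce4-screensaver xfce-screensaver; do
    printf '%s -> %s\n' "$svc" "$(resolve_policy "$demo_root" "$svc")"
done
rm -rf "$demo_root"
```

On a live system, `has_own_policy "" xfce4-screensaver` returning non-zero means the service is authenticating through the catch-all policy.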